Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."

Being tied to them doesn't necessarily mean a whole lot. The Russians have as much of a vested interest as everyone else in spying on their friends and enemies, and while the roles may be reversed from NATO the russians are almost certainly spying on the Syrians and Iranians as much if not more than we are: The russians want to be sure they'll get paid.

Sure, it would be nice if there was a magical operating system not easily exploited by intelligence agencies or computers of any sort tied to any dubious g

So um, in bed with millions of people and thousands of corporations from DOZENS of different countries? Yeah, certainly there are no conflicting interests in that bed... Sheesh, what is called insightful post today.

Doesn't this equally apply to all software vendors, irrespective of their nationality? And while we're at it: doesn't it ALSO apply equally well to hardware vendors? Do you really trust ASICs made in China, from blueprints drawn up in UK from a company that may have a Pakistani mole in its dev team, who has been bought by the Russian FSB or the Brazilian equivalent of the CIA?

I didn't say it should be the job of only one person, obviously a big organisation will have many people on it. I only pointed out that software you don't have the source of shouldn't be trusted regardless of who is the developer.

I see what you did there! However, I think you misunderstand the halting problem: given a certain program, of course there may be a way to determine if it halts. However, the halting problem says that there is no algorithm that does this for all possible programs.

This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.

Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.

That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

Regards,

Aryeh Goretsky

"I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.

And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Schactman, in alengthy profile forWired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with a digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.

Can you as a business trust ANYONE who says stuff like that to protect your critical infrastructure/production lines?

That is very annoying; especially considering that I'm a former McAfee employee from long ago (1989-1995). I will yell at^H^H^H^H^Hpolitely ask someone over there to fix it. Thanks for letting me know.

Regards,

Aryeh Goretsky

Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting...

As someone who's known Aryeh professionally over many years, I do know that he's well qualified to make these comments.

While I've never worked for a competitor, as he has, I have been at times extremely active in the antimalware circuit and do trust Kaspersky software. They're good people, and smart as hell, just need to work on improving their products some.

I do indeed avoid running or even looking at any competitor's antimalware product. A large part of that (the largest part, as a matter of fact) is because I believe my employer's software is the best. After all, if I did not believe that, I would not be working for them, would I? But the other part is because I have been deposed in numerous patent lawsuits over the years, and the last thing I want to do is get dragged into another one because of something I did.

If 1 and 2 were applicable, then it also possible that the person could be unemployed. There would be consequences for being unable to pay bills, of course, but they would still not be working at a place that they believed was not the best, which is what the GP had asserted.

Thinking about it further, it might be possible if you make it totally unusable. (No you can't install a browser (are you NUTS?), no you can't download a file, no you can't run a server, no you can't do anything, get away from my keyboard you LUSER!). Should be great fun.

IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

The first of them was, allegedly, the S/3x0 assembler-language and OS/360 equivalent of replacing

intmain(void){}

with

intmain(void){ return 0;}

as per this RISKS Digest message [ncl.ac.uk] (the OS/360 and C calling sequences both treat a return from the main program as an "exit", with the exit status being the numerical return value of the main program).

IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

The first of them was, allegedly, the S/3x0 assembler-language and OS/360 equivalent of replacing

intmain(void){}

with

intmain(void){ return 0;}

as per this RISKS Digest message [ncl.ac.uk] (the OS/360 and C calling sequences both treat a return from the main program as an "exit", with the exit status being the numerical return value of the main program).

Actually, I think it was more like:

"return x-x";"

And in rare cases, where "x" (actually the contents of General Register 15) had the right value in it, this would ABEND the program due to an arithmetic overflow error. Which lead to the second fix, which also had a bug...

I know its not exploit proof but becoming a platinum sponsor and insisting they spend the money on code review. Then make custom modifications to remove all functionality and you should get close.

If the people buying and operating these systems really cared about security I am sure they could piece together a far more secure solution at the expense of cost and convenience from current software.

That would be a good start, but you'd need some further work. Most notably, the scheduler - unless things have changed since 3.8, OpenBSD doesn't have a real-time, hard-constraint scheduler, which is an absolute necessity for such a system. And the scheduler is big and complex enough to be a security risk - so you'll spend quite a bit of effort to make sure your new one is secure.

But yeah, OpenBSD certainly wouldn't be the worst OS to start from for a project like this.

I think it would be great if he could actually pull this off. He's made himself into a huge target, though. Also, even if he does, our government would never use it, because they'd be worried about spying.

There are a lot of levels of trust. For a machine that doesn't handle anything secret or financial data (including personal), Windows is generally good enough, for all its long history of exploits. Even then, many, many people and organizations use it for things that are secret or financial data anyway. Sometimes they get burned that way. A Mac is (maybe) a little better. Linux is better still.

Then there's a level of trust way out at the extreme end. If the secrets are serious enough, you can't trust the system you built it yourself from source and audited every single line of said source. Since hardly anyone can do that, having it audited and built by people you trust (in the case of the government, the NSA, for example) has to due. If it's even more sensitive, the network, or maybe even the machine, should also be air-gapped.

If you have a sensitive use case such as, oh, I don't know, running centrifuges to enrich uranium, should you trust a binary OS that wasn't built by your people to be either secure against exploits or to not be already trojaned? Of course not. Just ask the Iranians. Or the Russians themselves, who had a little refinery trouble during the cold war because of that.

In such a case, you either want your people writing the code, or at least very carefully auditing every single line of the source, then building the binaries from that code. If you don't or can't, especially in the case of embedded systems, you cannot have any confidence that software is even secure against exploits, let alone that it won't turn on you.

1 - The cold war is over. Capitalism won (not democracy).
2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.

the american spooks will fuck you up for doing something against their geopolitical agenda

so will the russians. but in addition, the russian spooks will fuck you up for doing something against the russian political status quo (and of course, the chinese too)

america has going for it a genuinely much better tolerance for political dissent. you can say things about obama you can't say about putin or hu jintao. and that matters, it really matters

but if you want to belittle that difference, you probably live in the west and have a well established antiestablishment attitude

ok, now try that same antiestablishment attitude against moscow... in moscow. or against beijing... in beijing. exactly: your attitude just tells us you don't appreciate what you have

in short, there is no nation you can fully trust. only differences in degrees. and the usa currently leads the list of trustworthiness of the superpowers. not that the usa doesn't have a lot of room for improvement. and not that it can't backslide. but currently it's the shinest piece of crap on top of the shit pile

There is nobody you can completely trust. In fact, the idea of completely trusting anything or anyone doesn't even make sense.

You might trust your antivirus vendor to not maliciously plant viruses into your system, but you can be sure that they aren't out to make sure that their protection doesn't cost you as much as they can reasonably get out of somebody's back pocket. Further, if they didn't have that financial interest, they wouldn't have an interest in providing any kind of service to you at all.

2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.

What are you? Some kind of multinational Corporation? Or are you originally from Tibet?

Personally, I'm just a nobody living in the US. I'm much more afraid of the US authorities than any other foreign government.

Now if I was a nobody living in China, then yes, I might fear the Chinese government, but as it stands, China can't audit my taxes, only the US can audit my taxes. The same goes for my personal life, my voting record, my patriotism, my religious fervor, my sexual preference, or my music collection.

What you should fear, then, is the USA using "flaws" in Chinese gear to spy on you. Do you _really_ think the world's major powers are _enemies_ at this point? A war on their own soil would be proof of real enmity, but all the wars are fought through proxies.

What you should fear, then, is the USA using "flaws" in Chinese gear to spy on you. Do you _really_ think the world's major powers are _enemies_ at this point? A war on their own soil would be proof of real enmity, but all the wars are fought through proxies.

By that logic, the USSR and US were not enemies during the Cold War, either.

Between nuclear powers with robust second strike capabilities, direct shooting wars are extremely unlikely. It doesn't mean they aren't maneuvering for the others' complete annihilation, just that they aren't willing to blow up the entire planet to bring it about.

That said, I don't believe the US, China, or Russia can be considered "enemies". They are dynamic relationships where the countries can be opposed on some issues and alli

This idea that we could build a magical "exploit proof" OS if only we want to bad enough is stupid. While some exploits happen because of stupid design decisions, far more happen because of simple unintended consequences.

With an OS you are in the difficult position of needing to offer access but trying to keep out unauthorized access, and to do so in an ecosystem of arbitrary software on the system. That's a real hard problem to solve. Any time you build a door, it can be used for both wanted and unwanted v

Kaspersky is foolish. I make OSs too, and there can be no Exploit Proof OS. You can't make an exploit proof OS on insecure hardware. DMA == Direct Memory Access. [wikipedia.org] Any device that uses DMA (and there are tons: PCI, Firewire, etc.), can read and write all memory everywhere in the system without any software being able to stop them. Look, I'm all for creating a very secure OS, but first we must create secure HARDWARE. It's not as if the OS can protect itself from exploitable hardware with firmware bugs.

It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."

Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

If you have the source code and the policies, both of which can be externally audited, how can you (As an external person) screw this up?

I remember back in the old old Solaris days dealing with buffer overflows in the driver stack to get remote root, but those days are gone, you would never get that permission to access that executable, let alone open a socket.

If you've got SELinux + policies it's here and it's here now.

Just in case you think this is a pro-Linux rant...

Microsoft have spent a truck load of money on "trustworthy computing" to find new exploits, to the extent that they have honeypots to find new stuff for back testing.

They don't have a watchdog yet, they've started with Windows Defender, but that's nowhere near low level enough yet, and the whole anti-competitive landscape, plus developer buy in (And unfortunately a lot of devs don't know exactly what they're really doing) makes it difficult to say the least. They are still a couple of OS released away from making it work.

Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

SELinux wasn't intended to be highly secure. It's an add-on to Linux, after all, not a new OS. The purpose of SELinux was to get a mandatory-security system out and widely used so that applications would be written to run under tight restrictions. Read what NSA originally wrote about it.

A big problem with secure operating systems is getting applications to run in a secure environment. That means saying "no" a lot. No, your game can't find out what else is running. No, Photoshop can't snoop the LAN for o

The problem is that academic microkernels, Mach in particular, suck. Mach is a BSD derivative.
QNX is quite good. You pay some extra copying overhead, maybe 10-20% of CPU time, or a few months of Moore's Law, for message passing. The microkernel itself is about 60K of code. There's hope of getting something that small perfect. QNX, though, is not intended to be a high-security system; its purpose is to be a high reliability real-time system with repeatable response time.

Kaspersky's not looking to build a general purpose OS. He's looking at something with a very narrow functionality, even tighter than an embedded OS like WinCE. We're talking punchcard-programming-level here with maybe a little seed input, like a computer controlled cutting machine. OK, there are those (like in Home Depot or Homebase) that use x86 and DOS to control the machines, but they started with pattern cards that were fed into a box. x86 was adopted because more functionality, such has ad-hoc or one-o

I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?

Russia and the former soviet states:1. A strong educational system (that is churning out computer scientists)2. Lack of opportunities in the computer science field3. No laws to curtail computer crime or minimal enforcement where laws exist.4. Strong tradition of organized crime

Mix all these things together and you get hotspots of computer crime.There are towns where you can find everything starting with the guy who is writing the malware,to the guy translating your website/e-mail into english, and ending with the guys who cash out bank accounts and launder the money.

Decent science education, at least until recently. Besides, the Russian law enforcement has lots of blackhats on payroll, almost certainly, since that's exactly their MO. They are masters of spoofing, misinformation, and sabotage. I bet half the time China hacks US, it's actually Russians hacking China, and then US through China.

I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?

There used to be one in the former USSR, since they couldn't really buy Western hardware. They had government-sponsored operations to buy foreign hardware through third parties, tear the hardware apart, and cloning it. I suppose the same thing was probably happening for pirating Western software as well, thought I'm not sure if the Soviet government was directly involved in that one. Pirating and writing software patches was just something everybody did since they couldn't buy Western software through norma

"Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran"

I'm worried by this blurring of distinctions in the historical significance of the two events. Whatever your political persuasion, Pearl Harbor was a de facto declaration of war. It was a strike against a military target carried out by a true nation state. The "9/11" terrorist attack was something else. It was carried out by an independent group that at worst can be described as being in an alliance of convenience with some foreign government.

By confusing our figures of speech for two clearly different types of cyberattacks, the danger is that the same counterattack methods will be used for both. Treating "9/11" as an act of war, and not simply as a well-coordinated distributed terrorist attack, led to a trillion-dollar War on Terror. On hindsight did it make sense to send out a nation's armies to deal with a few hundred suspected terrorists? Wouldn't it have been better if the intelligence agencies dealt with the issue, resorting to large military strikes only when the intelligence and situation warranted?

So now will the hometowns/countries of suspected Anonymous members be the target of the same massive disruption of IT services that US would launch in retaliaton for a supposed cyberattack from Iran or China?

While it would certainly be nice if this claim were true (I doubt it is), social engineering is a bigger problem and one that, one would think, we could see more benefit in working to eliminate than the benefit we might see from buying some outrageous claim.

... the real reason is you can have computers delay and analyze all incoming requests then pass the data on to the 'real computer' or you can keep your computers off the net and whitelist what it can communicate with. The only failure being the human element (who has access to your computers).

You can have high performance or tight security, pick one. The more "secure" you make a computer the more time you spend in observing and analyzing requests.

I confronted the problem of trust when evaluating PGP for private use. How could I be sure that PGP wasn't a ruse sponsored by the US government?

PGP was supposedly written by Phil Zimmerman, a counterculture hero. It's authenticity is vouched for by numerous institutions and academics.But I don't know Zimmerman personally,nor am I familiar with those institutions, nor do i know those academic names personally. On the other hand, i do know that criminal confidence men easily build up phones web sites mim

Given the uber-paranoid viewpoint of the Dept of Defense on things computer, does anyone know if Kaspersky's AV is not allowed on DOD computer systems? Not that the guys/gals running DOD cybersecurity are perfect and on top of things, but the are paranoid enough to be worried about KAV if they see K's involvement with the Russion government and/or crime syndicates as a potential problem.

Well yeah sure, given physical access. Physical access is a whole other ballgame as opposed to remotely hacking into that abacus and making it your own. Multi-user workgroups can get complicated though, while they do have advantages. So does cloud-computing from a distance.

An operating system is just an interface between the programs and the hardware. You can make a computer without an operating system if your programs just access the hardware directly. That is ok if you only write a few programs, when you need to write more it helps to produce a library of common routines to simplify programs access to the hardware. Something like a C: prompt is not the OS rather it is a program running on the OS that enables the user to load different programs into the computer.

The OS is just the basic software you need to use a computer. On a general purpose computer 'use' normally means to load an application. On a calculator, it just needs to handle input and output, so an argument could easily be made that it consists entirely of hardware and OS.

I didn't have a specific definition in mind, but was considering the fact that most computer science has mathematical underpinnings (for example, the Turing Machine). And when you look at almost any problem mathematically and abstractly, you tend to come up with variants that differ considerably from common usage. Which is, in fact one of the best reasons to do so, since the Way We've Always Done Things isn't always the best way for a given class of real-world problems.

If you accept the idea that products like Prime's RTOS are OS's, then the resulting Intel calculator did, in fact have an OS

This does not follow. An RTOS is indeed an OS, and I work with RTOSes every day, but an RTOS is still a piece of software that has a definition, and you can run an processor without an RTOS. I would assume most very simple calculators do run without even an RTOS. There is certainly nothing about the 4004 in your example that would force it to run an RTOS. It can, and did, run just fine without an OS, RTOS or not.

If you accept the idea that products like Prime's RTOS are OS's, then the resulting Intel calculator did, in fact have an OS

This does not follow. An RTOS is indeed an OS, and I work with RTOSes every day, but an RTOS is still a piece of software that has a definition, and you can run an processor without an RTOS. I would assume most very simple calculators do run without even an RTOS. There is certainly nothing about the 4004 in your example that would force it to run an RTOS. It can, and did, run just fine without an OS, RTOS or not.

In theory, ALL my programs have a definition, even if I sometimes despair of what they turn into in practice. That includes things like the control program that I used to develop for the 8085 that ran a sewage processing plant, or the core software that comes pre-installed in the Arduino and runs the user-written code.

The OS for a basic 4-banger calculator is typically going to be something like a master loop that invokes a keyboard scanning module, numeric encode/decode modules, an arithmetic function disp

Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.

Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.

Sounds like what I have started calling "My Law of Program Bugs", which states that no program of sufficient complexity can ever be bug-free. That somehow regression testing and simulation can never encompass the entire possible realm of user stupidity, and once you reach a certain level of complexity, that you will _never_ be _totally_ sure your program is _completely_ bug-free, or there is some obscure combination of seemingly impossible conditions that will screw it up, or expose a hidden bug.

For the highest levels of assurance, per the ISO/IEC 15408, there must be mathematical proofs that the implementation conforms to a mathematical model of security. If done this way, it doesn't matter that "any computer powerful enough to be interesting is powerful enough to do [other things]".

That's called "trying to define the problem away." The point is that the mathematical model of security will never capture all of the users' security needs because the basic objectives (e.g. "privacy") are not well-

I wish I had your calculator. Rouge hackers with physical access can cause a DOS attack by install masking tape over my calculator's solar cell and thus prevent useful operations until the tape is physically removed.

that's actually not that far from the truth, and certainly smart. Take a famous example: Kevin Mitnick. They had to pass laws that didn't previously exist to take him down. Now he's an information security consultant and global lecturer on how to secure your computer system and those who operate it. The security services in the US regularly perform stings to capture professional-level hackers and offer them a deal: become a nark or spend time in a small windowless room with a large black guy named Mo. Oh, a